So a relative of mine is married to a doctor. This doctor is somewhat abrasive and had a falling-out with a business partner, who was the only one who had access to their HIPAA-compliant encrypted records at their practice. This business partner left and wouldn't tell anyone what the password to their records was.

Which would have been a huge crisis if the relative of mine in question hadn't dumped the RAM and found that the actual encryption keys were stored as plaintext and the user-chosen password was just checked against a hash to set a boolean variable for whether or not to use it; options for access were to flip the boolean, change the stored hash, or grab the key and manually decrypt. There was basically no way a motivated attacker wasn't going to be able to crack it.

So ... cryptography seems to be implemented wrong some or all of the time. Whoda thunk it?
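The failure mode in this story is a general one: the password only gates a boolean, while the real key is stored in the clear, so anyone who can read process memory (or patch the flag) gets the data without ever knowing the password. The added example below is not from the original post or from any real product; it is an illustrative Python sketch of that design next to the usual fix, where the data-encryption key is wrapped under a key derived from the password (PBKDF2 here, from the standard library) and nothing key-shaped exists in the locked state. The class and function names, the 32-byte key, the XOR-plus-HMAC wrapping format and the sample password are all assumptions made for the example.

```python
import hashlib
import hmac
import os

PBKDF2_ITERS = 200_000  # assumed work factor for the example; tune for your hardware


class NaiveGate:
    """The design described in the post (constructed for illustration):
    the key is kept in plaintext and the password only flips a flag."""

    def __init__(self, password: str, dek: bytes):
        self.dek = dek  # plaintext data-encryption key, always resident
        self.pw_hash = hashlib.sha256(password.encode()).digest()
        self.unlocked = False

    def unlock(self, password: str) -> bool:
        candidate = hashlib.sha256(password.encode()).digest()
        self.unlocked = hmac.compare_digest(candidate, self.pw_hash)
        return self.unlocked

    def key(self) -> bytes:
        if not self.unlocked:
            raise PermissionError("locked")
        return self.dek


def read_key_from_memory_dump(gate: NaiveGate) -> bytes:
    """What a RAM dump or debugger gives an attacker: the key itself,
    with no password check involved (or just set gate.unlocked = True)."""
    return gate.dek


# Hardened pattern: derive a key-encryption key (KEK) from the password and a
# random salt, and store only the wrapped DEK. Without the password there is
# no key in the stored state to recover.
def derive_kek(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                               PBKDF2_ITERS, dklen=64)


def wrap_dek(password: str, dek: bytes) -> bytes:
    """Returns salt || wrapped_dek || hmac_tag. The XOR with a fresh, salt-bound
    KEK half is used once per salt, so it behaves as a one-time mask; the HMAC
    over salt and ciphertext detects tampering and wrong passwords."""
    assert len(dek) == 32, "example assumes a 32-byte DEK"
    salt = os.urandom(16)
    kek = derive_kek(password, salt)
    enc_key, mac_key = kek[:32], kek[32:]
    wrapped = bytes(a ^ b for a, b in zip(dek, enc_key))
    tag = hmac.new(mac_key, salt + wrapped, "sha256").digest()
    return salt + wrapped + tag


def unwrap_dek(password: str, blob: bytes):
    """Returns the DEK on the correct password, None otherwise."""
    if len(blob) != 16 + 32 + 32:
        return None
    salt, wrapped, tag = blob[:16], blob[16:48], blob[48:]
    kek = derive_kek(password, salt)
    enc_key, mac_key = kek[:32], kek[32:]
    expected = hmac.new(mac_key, salt + wrapped, "sha256").digest()
    if not hmac.compare_digest(expected, tag):
        return None  # wrong password or tampered blob: no key material leaks
    return bytes(a ^ b for a, b in zip(wrapped, enc_key))


if __name__ == "__main__":
    dek = os.urandom(32)
    gate = NaiveGate("correct horse", dek)
    # No unlock call, yet the key is there for anyone who can read memory.
    print("naive design leaks key:", read_key_from_memory_dump(gate) == dek)
    blob = wrap_dek("correct horse", dek)
    print("wrong password yields:", unwrap_dek("guess", blob))
    print("right password recovers DEK:", unwrap_dek("correct horse", blob) == dek)
```

Two caveats a practitioner would add. First, the hardened version only protects the locked, at-rest state: once the DEK is unwrapped it sits in RAM just like before, so a dump of a running, unlocked process still yields it. Second, it turns the scenario in the post into a real loss: with the password gone, there is no flag to flip, so a key-escrow or recovery-key procedure has to exist before the partner walks out the door.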